Privacy & Policy

    1. Data Controller

    LT91 d.o.o.
    Modrejce 2a, Most na Soči, Slovenia
    Company registration number: 9257802000
    VAT number: SI 50051024
    E-mail: info@tulie.si
    Website: https://tulie.si
    (hereinafter: the “controller”)

    2. General

    The controller processes the personal data of individuals in accordance with applicable data protection legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: the GDPR), and the Slovenian Personal Data Protection Act (ZVOP-2, Official Gazette of the Republic of Slovenia, No. 163/22).

    The purpose of this privacy policy is to inform individuals whose personal data the controller processes, in a comprehensive and transparent manner, about the categories of personal data, the purposes and legal bases of processing, the retention periods, the recipients of the data, and the rights of individuals in relation to the processing of their personal data.

    3. Categories of Personal Data

    3.1 Personal data provided directly by the individual

    The controller collects and processes personal data that the individual provides when making a reservation, subscribing to the newsletter, or contacting the controller, namely:

    • personal name (first name and surname),
    • e-mail address,
    • telephone number,
    • reservation details (arrival and departure dates, type of accommodation unit, price of the service, special requests),
    • payment details (payment card number, expiry date, CVV security code). This data is transmitted directly to the relevant payment service provider and is not stored by the controller.

    3.2 Personal data collected automatically

    When visiting the controller’s website, the following technical data is collected automatically:

    • IP address,
    • type and version of the web browser,
    • operating system of the device,
    • website visit data (time of visit, subpages viewed, time spent on each page),
    • data stored in cookies and similar tracking technologies.

    4. Purposes of Processing and Legal Bases

    The controller processes personal data for the following purposes and on the following legal bases:

    4.1 Managing reservations and providing accommodation services

    The legal basis for processing is the performance of a contract or the taking of steps at the individual’s request prior to entering into a contract, in accordance with Article 6(1)(b) of the GDPR. Provision of the personal data is a condition for entering into the contract. Without the required data, the controller cannot process the reservation or provide the contractual accommodation service.

    4.2 Sending newsletters and notifications about offers

    The legal basis for processing is the individual’s consent, in accordance with Article 6(1)(a) of the GDPR. Consent is voluntary and the individual may withdraw it at any time without any consequences for the exercise of their rights, either via the unsubscribe link in the e-mail message or by a request sent to the e-mail address info@tulie.si.

    4.3 Web analytics and optimisation of website performance

    The legal basis for processing is the controller’s legitimate interest, in accordance with Article 6(1)(f) of the GDPR, or the individual’s consent obtained via the cookie manager where this is required by applicable legislation.

    4.4 Fulfilling the controller’s legal obligations

    The legal basis for processing is compliance with a legal obligation to which the controller is subject, in accordance with Article 6(1)(c) of the GDPR. Such obligations arise in particular from tax legislation and the Hospitality Industry Act.

    5. Personal Data Retention Periods

    The controller retains personal data only to the extent and for the period necessary to achieve the purpose for which it was collected, or for the period prescribed by applicable legislation. Once the retention period expires, the controller permanently deletes or anonymises the data. Retention periods by category:

    • reservation and guest data: 10 (ten) years from the occurrence of the business event, in accordance with the requirements of tax legislation and the Hospitality Industry Act,
    • e-mail addresses of newsletter subscribers: until the individual withdraws consent,
    • analytics data obtained via Google Analytics: 26 (twenty-six) months or until consent is withdrawn,
    • data stored in cookies: in accordance with the validity periods of the individual cookies, as set out in the controller’s Cookie Policy.

    6. Recipients of Personal Data

    The controller does not sell individuals’ personal data to third parties. It may disclose personal data to the following categories of processors, which the controller has authorised to process personal data on its behalf and which are bound to the controller by a data processing agreement in accordance with Article 28 of the GDPR:

    • e-mail marketing service provider (MailerLite): for the purpose of sending newsletters,
    • online reservation system provider: for the purpose of managing reservations,
    • web analytics service provider (Google Analytics): for the purpose of analysing website traffic,
    • social media service providers (e.g. Meta Pixel): for the purpose of measuring the effectiveness of advertising campaigns,
    • web hosting and IT infrastructure service provider,
    • authorised accounting and tax advisors, to the extent required by applicable legislation.

    All processors are required to ensure an adequate level of personal data protection and must not process personal data for purposes that are not in accordance with the controller’s instructions.

    7. International Transfers of Personal Data to Third Countries

    Some of the processors with which the controller works (in particular Google LLC, Meta Platforms Inc. and MailerLite, operated by Intuit Inc.) are based in the United States of America or in other third countries outside the European Economic Area (EEA). Transfers of personal data to these third countries are carried out on the basis of appropriate safeguards in accordance with Chapter V of the GDPR, in particular:

    • standard contractual clauses adopted by the European Commission (SCCs),
    • European Commission adequacy decisions regarding the level of protection in a particular third country,
    • other legally permissible transfer mechanisms.

    The individual has the right to request more detailed information about the safeguards applied to the transfer of data to a particular processor, by a request sent to the e-mail address info@tulie.si.

    8. Cookies

    The controller’s website uses cookies and comparable tracking technologies to ensure the functioning of the site, for analytics and for advertising. The controller obtains the individual’s consent for the placement of non-essential cookies (analytics, advertising) via the cookie manager on the first visit to the website.

    Detailed information about the types of cookies, the purposes of their use, their validity periods, and the procedure for managing or withdrawing consent is set out in the Cookie Policy, available on the tulie.si website. The individual may withdraw consent for non-essential cookies, in whole or in part, at any time via the cookie manager.

    9. Rights of Individuals

    An individual whose personal data is processed by the controller has the following rights under the provisions of the GDPR:

    • Right of access (Article 15 of the GDPR): the individual has the right to obtain from the controller confirmation as to whether personal data concerning them is being processed, and access to that data together with information about the purposes, categories and recipients of the processing.
    • Right to rectification (Article 16 of the GDPR): the individual has the right to request the rectification of inaccurate personal data or the completion of incomplete personal data.
    • Right to erasure (Article 17 of the GDPR): the individual has the right to request the erasure of personal data concerning them where there is no legal basis for its further processing.
    • Right to restriction of processing (Article 18 of the GDPR): the individual has the right to request the restriction of the processing of personal data in the cases set out in Article 18 of the GDPR.
    • Right to data portability (Article 20 of the GDPR): the individual has the right to receive personal data in a structured, commonly used and machine-readable format, and the right to transmit it to another controller.
    • Right to object (Article 21 of the GDPR): the individual has the right to object at any time to the processing of personal data based on the controller’s legitimate interest, or to processing for direct marketing purposes.
    • Right to withdraw consent: where processing is based on consent, the individual has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

    A request to exercise any of the above rights is to be submitted by the individual in writing to the e-mail address info@tulie.si. The controller will respond to the request within 30 (thirty) days of its receipt. In the case of complex or numerous requests, this period may be extended by an additional 60 (sixty) days, of which the controller will inform the individual in advance. For the purpose of verifying identity, the controller is entitled to request the submission of appropriate proof of identity.

    10. Right to Lodge a Complaint with a Supervisory Authority

    Without prejudice to any other administrative or judicial remedy, the individual has the right to lodge a complaint with the competent supervisory authority if they consider that the processing of personal data concerning them infringes the provisions of the GDPR or ZVOP-2.

    The competent supervisory authority in the Republic of Slovenia is:

    Information Commissioner of the Republic of Slovenia
    Dunajska cesta 22, 1000 Ljubljana
    E-mail: gp.ip@ip-rs.si
    Website: https://www.ip-rs.si

    11. Security of Personal Data

    The controller implements appropriate technical and organisational measures to ensure the security of personal data and to protect it against unauthorised or unlawful access, accidental loss, destruction or disclosure. Security measures include, in particular, encryption of data in transit using the SSL/TLS protocol, access rights control, and regular training of persons authorised to process personal data.

    In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, the controller will notify the competent supervisory authority of the breach without undue delay, and, in the cases set out in Article 34 of the GDPR, also the affected individuals.

    12. Protection of Personal Data of Minors

    The controller’s services are not intended for persons under 16 (sixteen) years of age. The controller does not knowingly collect the personal data of such persons. If it is established that the data of a minor was obtained without valid parental consent, the controller will permanently delete such data without delay.

    13. Changes to the Privacy Policy

    The controller reserves the right to amend this privacy policy where necessary in order to comply with applicable legislation, decisions of competent authorities, or changes in the controller’s business practices. The current version of the privacy policy is always available on the tulie.si website, stating the date of the last update. In the event of material changes, the controller will notify individuals whose contact details are known to it by direct message.

    We recommend that individuals review this privacy policy regularly.

    14. Contact Details of the Controller

    For any questions, requests or complaints regarding the processing of personal data, the individual may contact the controller:

    LT91 d.o.o.
    Modrejce 2a, Most na Soči, Slovenia
    E-mail: info@tulie.si
    Website: https://tulie.si